Thanks a lot for your reply Brad. CONFIG_GRKERNSEC_SYSFS_RESTRICT is indeed disabled for the kernel. I set CONFIG_GRKERNSEC_CHROOT_CAPS to 0, but to no avail.
I pasted the kernel config here: http://pastebin.com/Xwc9imXA
If you could take a quick look, it would be very much appreciated!
[ I'm not an expert, that's first ].
And I didn't inspect it in details, no time.
But I can say I do see far too many modules compiled in there. One of the rules of a secure system is to enable only those modules that you need. But you'd need to duckduck.com for it how it's done on OpenSUSE. I know that on Gentoo I have, as far as firmware, maybe 95% or more, of what installs by default, disabled (firmware and modules go together often, not always).
onzin wrote:Concerning the use of polkit/sudo/etc, yeah... I started realising since a short while ago how insecurely I use my computers, and am eager to change that. I will look into RBAC and adapt it as soon as possible. I guess if you would recommend a secure distro it would be something like Alpine or Qubes?
Haven't yet tried Qubes. I searched previously, and the good thing about Alpine is they base their system on grsecurity. But it's an old grsecurity, not supported by grsecurity developers here. Not necessarily bad!
But I prefer going with the free-testing grsecurity, and with the main, spender and PaX Team developed grsec.
If you're not afraid of work, Gentoo is, if you go with the grsecurity-hardened OpenRC (systemD is bad IMO), potentially very secure. But it is likely the hardest distro, nerds only stay with it...
Potential use: for virtually anything, packages base probably most numerous of all distros...
And grsecurity is at home, and I really hope it will stay at home for almost ever and a few more days, in Gentoo, like in no other distro...
By the way, there's no good kernel these days if these two guys here, that I mentioned above, haven't fixed it. Without grsec, it's very very poor security the Linus' kernel... Sorry to be blunt, but that's how I have been conviced, ever again, it has been the case, since long... (pls. see the link in my signature about when it started and read it carefully)
Try refute: rootkit hooks in kernel
,linux capabilities for intrusion